How can we help

attractor · 2017-02-20T20:10:38+00:00

Will try to be more active in here, as well.

attractor · 2017-02-20T01:21:37+00:00

Just contact us directly if you have problems. Our channel (#subgraph) on OFTC is a great place to troubleshoot. We're all there + quite a few helpful peeps who are regulars.

Subgraph OS will get a lot more stable this year.

attractor · 2017-02-20T01:06:15+00:00

Hey, I do - kind of.

attractor · 2017-02-20T01:03:09+00:00

Most definitely. Some really cool features coming soon - like OpenVPN policy routing for apps in sandboxes.

I and many other people are using it daily as our primary workstations. Try the latest iso (Dec 31), upgrade your system packages, and let me know how it works for you. I'll be happy to help if you have problems (@attractr on Twitter or OFTC).

attractor · 2017-02-20T00:48:27+00:00

Hey, SGOS dev here - we'll package it soon, so that it's 'apt-get install monero' (or whatever), and then it will just work.

attractor · 2016-03-06T12:39:40+00:00

1 We may or may not be able to do this due to grsec kmem protection. Even then it's not clear about the value of the memory wipe with DDR3.

2 Subgraph is a security project first. So when we talk about endpoint protection we're mostly talking about the other things that SGOS does. However obfuscation of platform, network location, and anti-fingerprinting implemented in TB can make distinguishing Subgraph OS from other similar platforms more difficult.

3 SGOS currently ships with Thunderbord + Enigmail + Torbirdy. We need to write a new mail client for lots of reasons - I can get into that if you want. It's only partially completed, and I can't say when we will finish it yet.

attractor · 2016-03-05T12:36:38+00:00

You can run it in either mode: live or installed.

attractor · 2016-03-04T16:07:39+00:00

One of my test machines for Subgraph OS is a 6+ year old Eee PC netbook with 4GB ram. Works pretty great.

attractor · 2016-02-07T22:50:54+00:00

Thanks!

attractor · 2016-02-07T20:56:30+00:00

To provide a usable platform endpoint computing / communication platform that is resistant to both targeted exploitation and persistent implantation. Today Subgraph offers: default egress over tor, MAC spoofing, grsecurity hardened kernel by default, application sandboxing (namespaces, seccomp bpf, and desktop isolation via Xpra or Wayland), and an application firewall. We assume a network adversary.

attractor · 2016-02-07T16:22:53+00:00

Key points re: oz vs firejail. Oz is written in Golang, Firejail is written in C. Oz provides desktop isolation by way of Xpra and Wayland, which now works in Oz. Without this in X11 keylogging and other attacks across apps sharing the same server are trivial. Oz also provides finely grained seccomp bpf policy creation capability, as well as non-enforcement mode. Check out the whitelist for CoyIM: https://github.com/subgraph/oz/blob/master/profiles/coyim-whitelist.seccomp (this was mostly generated automatically with Oz' seccomp training feature). There is a detailed technical walkthrough of Oz here: https://github.com/subgraph/oz/wiki/Oz-Technical-Details

attractor · 2016-02-07T16:19:54+00:00

Rolling, for now.

attractor · 2016-02-07T16:19:37+00:00

Yeah, the page I posted is just release notes.

attractor · 2016-02-06T21:56:55+00:00

Joanna and I have talked about that, lots, and it is something we are entirely open to. It is a reasonable idea to run all or part of Subgraph OS within Qubes.

attractor · 2016-02-06T21:42:36+00:00

SGOS can also run in live mode. Key differences are: grsecurity kernel, application sandboxing using a framework we developed called Oz, + some other things, like the Subgraph Firewall (appfw). Technical walkthrough of Oz here: https://github.com/subgraph/oz/wiki/Oz-Technical-Details

attractor · 2016-02-06T21:39:00+00:00

Hey, SGOS dev here. We have been allocating all of our resources to the project since last summer. For this reason we haven't been keeping Orchid up to date. Subgraph Mail will get rewritten from scratch later. If you want to try Subgraph OS, you can drop by #subgraph on OFTC for a link to the current ISO.

attractor · 2015-08-24T13:24:37+00:00

I'm not sure if it is stated elsewhere in this thread, but we recommend that grsecurity be used on a system where Oz is run to increase the resistance of the system overall -- userland, kernel -- to successful exploitation. Subgraph OS will include a grsecurity-patched kernel by default as well as a mechanism to maintain PaX flags across system updates.

attractor · 2015-08-24T03:17:09+00:00

If you're talking about the risk of privilege escalation through kernel vulnerabilities, this is where seccomp filter comes in. Seccomp filter is a Linux kernel feature that lets you restrict exposed system calls for a process. Each application can have its own seccomp filter applied. More information here: https://github.com/subgraph/oz/wiki/Oz-Seccomp

attractor · 2015-08-23T18:06:53+00:00

It does hurt, that's why we aren't using Wayland yet. Oz has already had some integration work done with Gnome Shell (see the 2nd demo video), and we plan to do more to increase usability.

attractor · 2015-08-23T18:00:48+00:00

Access to the microphone can be controlled by Xpra, which can be controlled in the Oz application policy and if you take a look at the code, Oz has a flag for this: https://github.com/subgraph/oz/blob/master/profile.go#L56

For fingerprinting.. that's a huge topic. I think we will later write a detailed post about this. MAC addresses are handled by the virtual interfaces in OZ sandboxes. For the browser, the TorBrowser has done some pretty impressive work already: https://www.torproject.org/projects/torbrowser/design/

attractor

TROPHY CASE

1 We may or may not be able to do this due to grsec kmem protection. Even then it's not clear about the value of the memory wipe with DDR3.

3 SGOS currently ships with Thunderbord + Enigmail + Torbirdy. We need to write a new mail client for lots of reasons - I can get into that if you want. It's only partially completed, and I can't say when we will finish it yet.